Beneath the surface of a cyberattack

A deeper look at business impacts

Do leaders accurately gauge the impact a cyberattack can have on their organization? Do common assumptions about the costs and recovery process associated with data breaches paint a clear picture? This paper considers—in financial terms—the broad and extended business impact of cyberattacks, including both direct and intangible costs.

Assumptions can be misleading

Common perceptions about the impact of a cyberattack are typically shaped by what companies are required to report publicly—primarily theft of personally identifiable information (PII), payment data, and personal health information (PHI). Discussions often focus on costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. But especially when PII theft isn’t an attacker’s only objective, the impacts can be even more far-reaching.

What does a cyberattack really cost? Regulatory fines, public relations costs, breach notification and protection costs, and other consequences of large-scale data breaches are well-understood. But the effects of a cyberattack can ripple for years, resulting in a wide range of “hidden” costs—many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information or other strategic assets.

Look behind the scenes in two sample scenarios and see how business performance can be challenged over a multi-year period when a cyberattack occurs. In one case, a cyberattack against a health insurance company appears to be a typical case of patient data loss but has deeper implications. The other example looks at the impact of intellectual property theft against a technology manufacturer. Combining cyber risk knowledge with business valuation and financial quantification methods, this paper draws essential lessons about the direct costs and the intangible impacts of a cyber crisis.

Fourteen cyberattack impact factors

To gauge the potential impact of a cyberattack, there are 14 impact factors that business leaders should consider. “Above the surface” are direct costs commonly associated with data breaches. “Beneath the surface” are potential impacts that are less understood and rarely revealed to the public eye, many of which are intangible costs that are difficult to quantify, including damage to trade name, loss of intellectual property, or costs associated with operational disruption.

The long trail of cyberattack impacts

Beyond the initial incident triage, there are impact management and business recovery stages. These stages involve a wide range of business functions in efforts to rebuild operations, improve cybersecurity, and manage customer and third-party relationships, legal matters, investment decisions, and changes in strategic course.

Cyberattack readiness: From fear to confidence

Prepared with a more realistic understanding of the potential impact of a cyberattack, executives can invest in risk-focused programs to be more secure, vigilant, and resilient, and gain greater confidence in their organization’s ability to thrive, even in the face of a cyber crisis.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.